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(57) Abstract 

A digital plant protection system for use in nuclear power plants of the pressurized type j^^^^^f 
sensed-pSer pix)cessing channels (CH<A, Cft-B. CH-C. CH-D) that provide a suimbbr conditioned ^^J^Z^^'^^^^^^ 
So^aSthewnditioma digital vahieagain^ 
m comparator is associated wUh each of the pluJcha^^ 

If a sensed-paramcter is determined to be out-of-specification by 2 of 4 or more charaiels. a W signal is generated to effea remeoiai 
action. - 
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DIGITAL PLANT PROTECTION SYSTEM 

The subject matter of the present application is disclosed in applicants' co- 
pending Provisional U.S. Patent Application Nos. 60/048.922 and 60/048,923. 
5 both filed June 6, 1997, from both of which priority is claimed. 

CROSS REFERENCE TO RELATED APPLICATION 

The subject matter of this provisional application generally relates to the 
10 subject matter in pending U.S. Application, Serial No. 08/848,556, filed April 29, 
1997, based on a provisional application filed on June 20, 1996, the disclosure of 
which is incorporated herewith for completeness of disclosure. In addition, the 
subject matter of this application is related to that disclosed in an application 
(Atty. Docket ABB-165) filed on even date herewith by the present inventors and 
15 entitled "Digital Engineered Safety Features Actuation System," the subject matter 
of which is incorporated herein by reference. 

BACKGROUND OF THE INVENTION 

20 The present invention relates to digital plant protection systems for nuclear 

power plants and, more particularly, to a Digital Plant Protection System (DPPS) 
for pressurized water reactors. 

In nuclear power plants, independent shut-down and safe-operation 
25 systems are dedicated to monitoring plant operation and evaluating numerous 
safety-related parameters. In the event one or more measured parameters indicate 
the existence of an unsafe condition, the shut-down system designed to mitigate 
the effects of an anticipated transient condition and/or the safe-operation system 
can automatically effect the appropriate remedial action. It is imperative that these 
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10 



15 



safety control systems, known as plant protection systems, operate reliably, and 
accordingly, it is imperative that all measured and sensed parameters be valid. 



measure a multitude of parameters related to plant operation. These parameters 
include, for example, temperatures, pressures, flow rates, power density, neutron 
flux, fluid levels etc. Other functions of the plant protection system include the 
status-monitoring of various components including valves, pumps, motors, control 
devices and generators. 

Additionally, the plant protection system, under certain defined conditions, 
may initiate a reactor trip (RT), i.e., the rapid, controlled, and safe shut-down of 
the reactor by actuating various field systems and remote actuation devices. In the 
case of a pressurized light water reactor, the shut-down is often accomplished by 
the dropping of moderating control rods into the reactor core to cause the reactor 
to become sub-critical. 

In co-pending U.S. /^j&ication Serial No. 08/848,556 noted above, an 
invention for use in the nuclqjar indus^ is disclosed for providing an Automatic 
Self-Testmg system for remQte;s|nsors utilizing multi-sensor, multi-channel 
redundant monitoring and control cir<iuits. The system senses or measures a 
parameter by a plurality of independent and sensor specific processing paths, each 
of which is provided with parallel redundant sub-paths that can each be 
sequentially inserted into thei<pr6cessing path to effect normal processing or be 
disassociated fi-om the processing path to effect testing. Each sensor provides, 
either directly or indirectly, a. digital value to a comparator which compares the 
measured value with a pre-determined value that is, in turn, provided to 
coincidence logic that evaluaites the output of its comparator with the input of the 
comparators of the other proces^rig paths to provide an output indicative of a 



In the context of nuclear plant protection systems, it is not uncommon to 
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pass/fail condition. That invention advantageously provides an automatic self- 
testing system for verifying both the signal path processing functions and the 
validity of various logic states in parameter sensing systems, particularly 
parameter sensing systems using multiple redundant processing paths. 

5 

In co-pending U.S. Provisional Application Serial No. 60/048,923, noted 
above, an invention for use in the nuclear industry is disclosed for providing a 
Digital Engineered Safety Features Actuation System (DESFAS) which acts as an 
interface between a Plant Protection System and Engineered Safety Features in a 

10 nuclear power plant. The DESFAS continuously monitors the Plant Protection 
System initiation circuit for each remotely actuated Engineered Safety Feature 
system to effect remedial action in the event that the Plant Protection System 
generates a *trip' signal. By using actuation inputs from the Plant Protection 
System and manual, operator implemented inputs, controls are provided for 

15 remote equipment components, such as solenoid valves, motor operated valves, 
pumps, fans and dampers. Together, the DPPS of the present mvention, the 
Automatic Self Testing System described above and the DESFAS described above 
constitute a nuclear plant reactor protection system. 

20 Most plant protection systems m use are of the analog variety in which 

analog values are processed via dedicated hard-wiring to various active devices, 
e.g., operational amplifiers. These systems are typically complex and require 
substantial maintenance. More problematic, however, is the functional "drift" 
associated with the use of numerous operational amplifiers. 

25 

Operational amplifier drift is a condition in which the gain of the amplifier 
changes over time, usually due to the aging of the semiconductor material and the 
resistive and capacitive devices within the operational amplifier. 
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As can be appreciated, in a worst case situation, drift errors can 
concatenate to produce less than valid output values. Analog systems can be 
particularly difficult to troubleshoot where the problem is an out of specification 
component that is otherwise fully operational. Thus, the problem of locating those 
5 operational amplifiers that have drifted to an out-of-specification condition can be 
time consuming and, of course, expensive. 

The problem of operational amplifier drift has been addressed at the design 
stage by incorporating risk/uncertainty factors that are larger than those required if 
10 drift was not a problem. These risk/uncertainty factors oftentimes require the 
power plant to operate at lower power output levels than otherwise would be 
possible. 

SUMMARY OF THE INVENTION 

15 It is an object of the present invention to provide a plant protection system 

for use with pressurized water reactors that is primarily digital and which has a 
greater mean time between failures. 

It is another object of the present invention to provide a plant protection 
20 system that is simpler to maintain than prior analog systems. 

It is still another object of the present invention to provide a plant 
protection system that offers convenient expandability and extensive self- 
diagnostic capability. 

25 

It is still a fiirther object of the present invention to provide a plant 
protection system that utilizes substantially less wiring than prior systems. 
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It is still a further object of the present invention to provide a plant 
protection system that has an open architecture to allow convenient connection to 
other electronic systems utilized in a nuclear power plant 

5 The present invention provides a Digital Plant Protection System (DPPS) 

for use in nuclear power plants of the pressurized water type. The system is 
characterized by a plurality of cross-connected sensed-parameter processing 
channels that provide a suitably conditioned digital value to a digital comparator 
that tests tiie conditioned digital value against a pre-determined value to determine 

10 whether or not the pre-determined value has been exceeded. A comparator is 

associated with each of tiie multiple channels and receives a separate measurement 
of the sensed parameter for each channel. If a sensed-parameter is determined to 
be out-of-specification on a two-out-of-four basis, a 'trip* signal is generated to 
effect remedial action. 

15 

The present invention advantageously provides a digital plant protection 
system that utilizes digital signals that provide a system that overcomes the 
problems associated witii drift in prior analog systems and which has increased 
operational reliability, maintainability, reconfigurability, and connectivity to other 

20 systems. 

Other objects and further scope of applicability of the present invention 
will become apparent from the detailed description to follow, taken in conjunction 
witfi the accompanying drawing, in which like parts are designed by like reference 
25 characters. 

BRIEF DESCRIPTION OF THE DRAWING 
FIG. 1 is schematic block diagram of a four safety-channel system and 
their internal components. 
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FIG. 2 is a detailed block diagram of a single safety-channel. 

FIG. 3 is a flow diagram illustrating the overall function of the four safety- 
5 channels of FIG. 1. 

FIG. 4 is a pictorial plan view of a printed circuit board with board- 
mounted relays and voltage dropping resistors. 

10 FIG. 4A is a pictorial plan view of the printed circuit board of FIG. 4 with 

connecting jumpers substituted for the resistors. 

FIG. 4B is a schematic circuit diagram of a voltage-dropping resistor in 
series with the coil of its relay. 

15 

FIG. 4C is a schematic circuit diagram of a jumper wire in substitution for 
the voltage dropping resistor. 

FIG. 5 is a schematic block view of an optical modem. 

20 

FIG. 5 A is a schematic block view of an input and an output optical cable 
connected together via fiber optic coupling. 

FIG. 6 is a schematic block diagram of four channels in which the interface 
25 and test processor of each channel communicates with those of the other channels 
via a fiber optic bus. 

FIG. 6A illustrates the optical interconnect in a quad-port optical 
distributor during powered-on state. 

6 

SUBSTITUTE SHEET (RULE 26) 

aNSCXXID: <WO_98S6009A1J_> 



wo 98/56009 



PCTAJS98/10744 



FIG. 6B illustrates the optical interconnect loop pathway in the quad-port 
optical distributor of FIG. 6A in the absence of power. 

5 FIG. 7 is a schematic circuit of an optical coupler used to effect a measure 

of optical isolation. 

Fia 8 is a perspective view of a submodule carrier 35 board with modem 
devices mounted thereof. 

iO 

FIG. 8A is a schematic block diagram of a single channel showing the 
manner by which a interface & test processor communicates with two separate 
trains for the engineered safety system. 

15 FIG. 9 is a schematic block diagram of an interface between a digital plant 

protection channel and two trains of the digital engineer safety feature system. 

FIG. 10 is a schematic block diagram of the manner by which traffic on the 
communication bus of the digital plant protection system is translated to the 
20 Ethernet Standard. 

^ ^ ■ 

FIG. lOA is a flow diagram by which data of the block diagram of FIG. 10 
is processed for Ethernet connpatibility. 

25 FIG. lOB is a flow diagram augmenting the flow diagram of FIG. lOA. 

DESCRIPTION OF THE PREFERRED EMBODIMENT 
The overall functional organization of the present invention is shown in 
schematic block form in FIG. 1 and designated generally therein by the reference 



7 

SUBSnTUTESHEET(RULE26) 



wo 98/56009 



PCTAJS98/10744 



character 10. As shown in FIG. 1, the system 10 is divided into four separate 
channels, Ch. A, Ch. B, Ch. C, and Ch. D. The channels are physically separated 
from one another as indicated by the solid vertical lines separating the channels. 
As explained below, however, the various channels are cross-connected with each 
5 other by optical fiber communication paths. Each channel includes a bistable 
processor 30, a trip signal distributor 40, a coincidence logic processor 50, and 
initiation logic 60. 

The bistable processor of each channel accepts the output of the sensor 20 

10 associated with that channel. The sensor 20 may be of the analog type that 

provides an analog signal which is then subject to an analog4o-digital conversion 
(as explained below in relationship to FIGS. 2 and 3), to provide a digital data 
word to the bistable processor 30. In the event that the sensor 20 is a direct digital 
type, i.e., an optical rotary or linear displacement device, the digital output of the 

15 sensor 20 may be provided directly to the bistable processor 30. As explained in 
more detail below, the bistable processor 30 can conduct pretrip and trip testing of 
the digital sensor value relative to a pretrip value and a trip value. In the context 
of FIG. 1, in the event a trip condition is detected, a 'trip' signal is provided to the 
coincidence logic processor 50 of channel A as well as to the coincidence logic 

20 processors 50 of the other channels, viz., Ch. B, Ch. C, and Ch. D. The connection 
between the Ch. A of FIG. 1 and the other channels is shown in dotted line 
illustration to indicate a fiber optic connection, which connection provides a 
desired electrical isolation between the channels. The coincidence logic processor 
50 determines if a 2of4 condition (i.e.^ a 2-out-of-four condition) exists for a 'trip' 

25 condition relative to its four inputs, i.e.,.its local input from its trip signal 

distributor 40 and the 'trip condition' signal from the other three channels, i.e., Ch. 
B, Ch, C, and Ch. D. If a 2of4 condition is detected, the initiation logic 60 
provides the necessary signals to effect a reactor trip (RT) and actuate the digital 
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engineered safety features. A reactor trip can involve causing the reactor control 
rods to drop into the reactor core to arrest operation of the core. 

FIG. 2 illustrates the functional organization of a smgle channel, channel 

5 A, of FIG. 1 . As shown, the sensor 20 output, which can be subjected to signal 
conditioning (filtering, scaling, amplification, etc.) is provided to an analog-to- 
digital (A/D) converter 25 to provide a digital data word as an output. The digital 
data word is presented to the bistable processor 30 which effects an initial 
comparison of the data word with a pre-stored value indicative of a pretrip 

10 condition. A pretrip condition is a pre-determined point or value of the digital 

data word which approaches a trip condition while still allowing manual or system 
mtervention to prevent a reactor trip. When the bistable processor detects a pretrip 
condition, a pretrip alarm is actuated (i.e., "set") to alert a reactor operator of a 
possible impending trip condition. Thereafter, the data word is tested against 

15 another pre-stored value indicative of a trip condition, and, if a trip condition is 
detected, a "trip" output is provided to the coincidence logic unit 50 of Channel A 
as well as to the coincidence logic units of the other channels, i.e., channels B, C, 
and D via the cross channel processors. In the event that a 2of4 (2 out of 4) 
condition exists, a trip signal actuates the Reactor Trip Breakers and the Digital 

20 Engineered Safety Features Actuation System (DESFAS). 

The functional sequence of an individual channel of FIG. 1 is presented in 
FIG. 3; while the flow diagram of FIG. 3 represents the fimctional sequence of a 
single channel, it is representative of the functional flow of the other channels. As 
25 shown, the system is initialized and the analog output of the various sensors 20 is 
read and inputted into the channel. Thereafter, the analog input values are subject 
to an analog-to-digital conversion provide a multibit data word that is then 
transferred to the bistable logic processor 30. The bistable logic processor 30 then 
compares the digital data words to stored setpoint values to determine if a pre-trip 
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condition exists; if a pretrip condition does not exist (i.e., the measured value is 
within specification), the operational flow returns to read analog inputs step to 
repeat the operational process. If a pre-trip condition is determined to exist, a pre- 
trip alarm signal is sent to the other processing channels and to the operator. Since 

5 the flow diagram of FIG. 3 is representative of Channel A of FIGS. 1 and 2, the 
pre-trip alarm signal is sent to channels B, C, and D. The pre-trip alarm signal 
actuates an alarm to indicate the pre-trip condition that may be a pre-cursor to a 
trip condition. If a pre-trip condition is also present, the data word is then subject 
to a "trip test" in which the value of the data word is compared to a stored value 

10 representative of a true **trip" condition. If a true "trip" condition is not detected, 
the operational flow returns to the read analog input step to repeat the operational 
flow. If a trip condition is detected, a trip-condition alarm is actuated, and trip- 
condition signals are sent to the other three channels and stored. Operational flow 
then proceeds to the 2of4 (2 out of 4) coincidence logic unit which receives the 

15 output of the 2of4 coincidence logic units of the other three channels. The trip 
condition of all four inputs is then evaluated and if at least two inputs indicate a 
trip condition, the 2of4 logic coincidence unit provides a trip output to a control 
relay, which, in turn, provides an output to the reactor trip breakers and to the 
digital engineered safety feature actuation system (DESFAS). 

20 

The system utilizes electromechanical relays as part of its operation 
system. In general, commercial programmable logic controllers (PLC), depending 
upon their manufacturer, provide a 24 VDC output or a 12 VDC output to 
energize or de-energize the coil of a power-switching relay. Oftentimes, relays 
25 that are optimally suited for a particular power-switching function are those 

designed to be energized by 12 VDC and these relays must often be mated to a 24 
VDC PLC. In order to provide a measure of installation flexibility for 12 VDC 
relays in those situations in which the relay can be driven by either a 12 VDC or a 
24 VDC source, the present invention utilizes a printed circuit board (PCB) 
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mounted relay organization that can be used in either 24 VDC or 12 VDC 
systems. As shown in FIG. 4, a printed circuit board PCB is provided with two 
relays Kl and K2 and two voltage-dropping resistors Rl and R2. The relays Kl and 
K2 have 12 VDC coils and may be obtained, for example, from the KiloVac 

5 Corporation. As shown in FIG. 4B (for the relay Kl) the voltage-dropping resistor 
Rl is in series-circuit with the coil of the relay Kl. The resistance value of the 
voltage-dropping resistor Rl is chosen so that the resistor Rl and the coil Kl define 
a voltage divider that will provide 12 VDC to the coil Kl when the supply voltage 
is 24 VDC. In this way, a 12 VDC relay can be used with a 24 VDC supply. In 

10 the event that the relay Kl is to be used with a 1 2 VDC supply, the voltage- 
dropping resistor Rl is removed and a wire jumper JPl is wired or otherwise 
inserted into the circuit in substitution for voltage dropping resistor Rl. As shown 
in the diagram of HG. 4C, the jumper JPl allows the 12 VDC coil Kl to be 
connected directly to a 12 VDC source. The circuitry for the relay K2 is the same 

15 as described for the relay Kl. In FIG. 4B, a second resistor (unnumbered) is 

shown in dotted line illustration; this second resistor may used use to define a true 
voltage divider with the resistor Rl with the operating voltage for the coil of the 
relay Kl provided from the intermediate connection between the two resistors. 

20 The digital plant protection system of the present invention utilizes fiber 

optic interconnects between its various channel as well as for overall data 
communication. As part of tiie fiber optic systems, various electi-ically powered 
modems are interposed within the fiber optic circuit. As shown in FIG. 5, a 
modem M is provided with an input cable IN and output cable OUT, both cables 

25 connected to tiie modem M by conventional connectors ST. Additionally, the 
modem M is provided with source power PWR. In accordance with tiie present 
invention, a conventional fiber optic connector FOC is removably attached or 
otherwise mounted to or associated with tiie modem M. For example, tiie fiber 
optic connector FOC can be mounted to tiie modem M by a bracket (not shown) or 
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connected to the modem M by a flexible lanyard. In the event that the modem M 
undergoes an internal failure or loses power, the modem M may be bypassed by 
disconnecting the input cable IN and the output cable OUT and connecting these 
cable together via the fiber optic coupler FOC as shown in FIG. 5 A to thereby 
5 maintain the physical and optical integrity of the fiber optic pathway. 

As explained above in relationship to FIG. 1, the overall system 
architecture includes four physically separate parameter-sensing channels that 
effect cross-channel conmiunication via a fiber optic link. Additionally, each 

10 channel receives its operating power fi"om a separate power supply; if the power 
inverter that supplies power to a single channel fails, only that chaimel becomes 
inoperative. As shown in the representative FIG. 6 for the interface & test 
processors ITP of the channels, each interface & test processor ITP conmiunicates 
via various optical modems or transceivers XCVR via a optical fiber pathway 

15 (shown as commvmication bus CB in the lower part of FIG. 6). As shown, the 

various transceivers XCVR are inserted into and interposed in the communications 
bus CB. In the event power to a particular channel is lost, the loss of the 
associated transceivers XCVR can interrupt the optical integrity of the 
communications bus CB. In order to address this problem and assure the 

20 operational integrity of the communications bus, the present invention provides 
quadport optical distributors that defauh to optical redirection upon a loss of 
power. As shown in FIG. 6A, each optical distributor D is designed to be powered 
by the 24 VDC supplied by the power supply associated with its channel (i.e., 
channel A, channel B, channel C, or channel D). Each distributor D includes 

25 paired optical input/output ports, port 1 paired with port 1 A and port 2 paired with 
port 2A. Additionally, each distributor includes internal optical "T' switches (not 
shown), or their functional equivalent, that can redirect the incoming and outgoing 
optical signals along one of two internal paths in accordance with their powered- 
on or power-off states. The optical switches are connected so that when all optical 
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switches are powered-on, optical signals are passed directly through the distributor 
D between input/output port pairs. Thus, during the powered-on state, optical 
signals will pass between ports 1 and 1 A and between ports 2 and 2A. In the 
powered-on state, the optical (listributor is essentially transparent to the network. 

5 In the event that the power is lost in one (or more) of the channels, the optical 
distributor, upon loss of power, switches the optical pathway so as to effectively 
loop the optical signals and thereby effectively provide a loop termination so as to 
adapt the communications bus CB to continue operation with a missing channel. 
As shown in FIG. 6B, the optical switches, upon the loss of a power supply, 

10 automatically default to connect the port 1 to the port 2 and to connect the port 1 A 
to the port 2A to effect a loop-termination on both sides of the distributor D. In the 
case of a loss of power in channel A and to the distributor D on the left in FIG. 6, 
the distributor D would defeult to a loop termination mode to thereby preserve the 
integrity of the communications bus CB for the remaining powered-on channels 

15 B, C, and D. Suitable fiber optic switches using internal solenoids to move 
reflectors are manufactured by;Molex. Inc. 



In the design of plarit proteciidn systems it is important that circuits be 
isolated from one another so ihat an over-voltage situation in one circuit will not 

20 affect the operation of anotherj^circmt- In general, the digital plant protection 
system disclosed herein utilizes programmable logic controllers (PLC) that are 
designed to provide a 24 VDGiputput that is switched on or off under the conlrol 
of the programmed logic. Sirice Ihe PLCs are critical to system operation, it is 
important that they be isolated from over-voltage situations. In accordance with 

25 the present invention, system integrity is assured by utilizing optical couplers at 
the output of the PLCs and in all other voltage-switching contexts. As shown in 
FIG. 7, the optical coupler CiQ includes a pair of PN light emitting diode, Dl and 
D2, that are parallel connected (in opposing conduction directions) across input 
teraiinals INI and IN2. A b'c ijiput voltage applied to the input terminals INI and 
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IN2 will cause one of the two diodes (depending upon the polarity of the input 
voltage) to emit light. A photo-transistor PT has its emitter and base connected 
between output terminals OUTl and 0UT2 and undergoes a change in 
transconductance as a function of the light emitted by the diode(s) driven into 

5 conduction. As a consequence, voltage levels applied to the terminals INI and 
IN2 will cause a corresponding change in the transconductance of the photo- 
transistor PT. The input-to- output electrical isolation provided by a typical 
optical coupler can be in the 3-5 kilovolt range; accordingly, the isolation 
provided by opto-coupler can assure system integrity. In the context of digital 

10 plant protection systems, which require all devices to meet the IEEE Class IE 
requirement, the use of opto-couplers in this context serves to increase system 
reliability. 

It is not uncommon in the design of large systems to use different types of 
15 bus protocols and communications systems. In the present invention, the bus 
protocol is of the basic token-ring network type. In many systems, an industry 
standard MODBUS is used, this system being a variant of the IEEE RS-232 
standard. The present invention employs a system by which interface cards for 
various systems can be used to provide seamless interfacing between systems. As 
20 shovm in FIG. 8, a submodule carrier board SCB is provided to accept interface 
cards, such as the interface cards ICl and IC2 shown. In accordance with the 
present invention, at least one of those cards is an ABB CI-532 card which allows 
interfacing with the MODBUS system and the proprietary ABB system. The 
provision of interface cards allows for easy and seamless interfacing between 
25 different network protocols. FIG. 8A illustrates an application in which muhi- 

protocol cards can be used. As shown on the lower left and right of FIG. 8 A, train 
"A" and train "B" of the Digital Engineered Safety Features Actuation System 
(DESFAS) of the above referenced and incorporated patent application utilize 
programmable logic controllers (PLC) that communicate with the integrated test 
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processor ITP of the digital plant protection system DPPS via fiber optic data links 
DLl and DL2. In FIG. 8, the programmable logic controller PLC each have a 
MODBUS port. In order to effect seamless interfecing with the main system bus, 
the interface test processor ITP is provided with an ABB CI 535 or similar card to 
5 effect interfacing. 

The present invention effect interfacing between the various channels of 
the digital plant protection system and the two trains of the DESFAS via fiber 
optic cable and RS-232 modems. As shown in FIG. 9, communication between 

10 the interface test processor ITP and train A and train B is accomplished over two 
fiber optic cables, FOCI and F0C2. Two fiber optic modems (RS-232 standard), 
MIA and M2A are mounted in the maintenance/test panels M/T and coupled to the 
fiber optic cables FOCI and F0C2, respectively. In a similar manner, a fiber 
optic modem MIB is mounted in the digital engineered safety system of train "A" 

15 and another modem M2B is similarly mounted in train "B". The use of the fiber 
optic data links in the form of cables FOCI and F0C2 and the related RS-232 
modems eliminates previously reqmred isolator and field termination equipment. 
Additionally, the number of mechanical and electrical devices is reduced 
compared to prior systems as well as the time required for in-the-field wiring. 

20 

Equipment used in nuclear power plants must meet IEEE Category 1 
standards, particularly with regard to die ability to survive seismic events. In 
general, Category I equipment is quite expensive. However, it is oftentimes 
appropriate to connect the plant protection system to other devices which do not 
25 require Category I capability. As shown in FIG. 1 0, the network interface 

capability is presented in which traffic on the digital plant protection system bus 
PB is tapped at a "IT' connector and routed to an AT-class (or higher) personal 
computer PC. An electro-luminescent display ELD is provided to output the 
computer PC video information. An CI 526 board (manufactured by ABB) in 
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mounted on the computer PC internal bus along with a standard Ethernet card E. 
As explained below, the CI 526 card interfaces with the Ethernet card so that all 
traffic on the DPPS bus PB is translated into the Ethernet protocol for 
transmission on an external Ethernet EN. The CI 526 card operates pursuant to 

5 the flow diagrams of FIGS. lOA and lOB. As shown in FIG. lOA, the system is 
initialized and the operating system, device drivers, windows software, and the 
ABB "Advasoft" software is loaded (steps S1-S5) At step S6, any sending node 
data is received and presented for display at S7 and also converted at step S8 to 
Ethernet protocol. The converted data is sent to the RAM in the Ethernet card at 

10 S9 and then sent via the Ethernet protocol to the main plant computer (SIO.) 

Additionally, request are made at the touch-responsive screen ELD (at SI 2) and 
those requests processed (at SI 3) and send to the CI526 RAM (at 814) with the 
data being sent to the network node (at S 1 5) with status checking and cyclic 
redundancy checking CRC being effected at SI 6 and SI 7. 

15 

The flow diagram of FIG. 1 OB is a variant of the operational flow of FIG. 
lOA. As will be apparent to those skilled in the art, various changes and 
modifications may be made to the illustrated embodiment of the digital plant 
protection system of the present invention without departing fix)m the spirit and 
20 scope of the invention as determined in the appended claims and their legal 
equivalent. 

Preferred embodiments of the present invention have been disclosed. A 
person of ordinary skill in the art will realize, however, that certain modifications 
25 and alternative forms will come within the teachings of this invention. Therefore, 
the following claims should be studied to determine the true scope and content of 
the invention. 
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CLAIMS 

What is claimed is: 

5 1 . A digital plant protection system for use in nuclear power plants, 

comprising: 

a first plurality of substantially identical independent sensed- 
parameter processing channels, each of which accepts a digital value 
representative of a sensed-parameter; 

10 a digital comparator associated with each sensed-parameter 

processing channel for comparing said digital value of the sensed parameter with a 
predetermined digital value indicative of a pre-trip condition and generating a pre- 
trip output if said pre-trip condition is detected, said comparator further comparing 
said digital value with a second predetermined digital value indicative of a trip 

15 condition and generating a trip output if said trip condition is detected; and 

a coincidence logic processor associated with each said sensed- 
parameter processing channel for receiving said trip output from said digital 
comparator, said coincidence logic processor further cross-connected to every 
sensed-parameter processing channels for receiving separate trip outputs from 

20 digital comparators within each said channel, wherein said coincidence logic 
processor generates a trip signal for effecting remedial action upon receipt of trip 
outputs satisfying a two-out-of-four condition. 

2. A digital plant protection system for use in nuclear power plants as 
25 in claim 1 , wherein said first plurality is four. 

3 . A digital plant protection system for use in nuclear power plants as 
in claim 1, wherein each said comparator further includes a bistable processor. 
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4. A digital plant protection system for use in nuclear power plants as 
in claim 3, wherein said digital value is received by said bistable processor which 
effects said comparison of said digital value of the sensed parameter with said 
predetermined digital value indicative of a pre-trip condition. 

5 

5. A digital plant protection system for use in nuclear power plants as 
in claim 4, wherein said bistable processor effects said further comparison of said 
digital value with said second predetermined digital value indicative of a trip 
condition and provides said trip output to said coincidence logic processor if said 

10 trip condition is detected. 

6. A digital plant protection system for use in nuclear power plants as 
in claim 1, wherein said trip signal for effecting remedial action is received by a 
Digital Engineered Safety Features Actuation System. 

15 

7. A digital plant protection system for use in nuclear power plants as 
in claim 1, wherein said trip signal for effecting remedial action is received by 
reactor trip breakers. 

20 8. A digital plant protection system for use in nuclear power plants as 

in claim 7, wherein said trip breakers are actuated using high energy relays which 
accommodate either 12 VDC or 24 VDC actuation outputs 



9. A digital plant protection system for use in nuclear power plants as 
25 in claim 6, wherein said trip signal for effecting remedial action is also received 
by reactor trip breakers. 
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10. A digital plant protection system for use in nuclear power plants as 
in claim 9, wherein said trip breakers are actuated using high energy relays which 
accommodate either 12 VDC or 24 VDC actuation outputs. 

5 1 1 . A digital plant protection system for use in nuclear power plants as 

in claim 10, wherein trip signal is optically isolated to prevent input feedback. 

12. A digital plant protection system for use in nuclear power plants as 
in claim 6, wherein trip signal is optically isolated to prevent input feedback. 

10 

13. A digital plant protection system for use in nuclear power plants as 
in claim 1 , wherein said channels are cross-connected using fiber optic data links. 

14. A digital plant protection system for use in nuclear power plants as 
15 in claim 1 , wherein each channel further includes a maintenance and test panel 

and an interface and test processor for communicating with engineered safety 
features systems. 

15. A digital plant protection system for use in nuclear power plants as 
20 in claim 13, wherein each said interface and test processor communicates with 

said engineered safety features system via fiber optic data links. 

1 6. A digital plant protection system for use in nuclear power plants as 
in claim 14, wherein said interface and test processor fiirther includes quadport 

25 optical distributors that redirect fiber optic data upon a loss of power. 

17. A digital plant protection system for use in nuclear power plants as 
in claim 15, wherein said optical distributors provide loop termination upon loss 
of power to protect said fiber optic data line integrity. 
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18. A digital plant protection system for use in nuclear power plants as 
in claim 13, wherein said interface and test processor may initiate testing of the 
logic within said charmels, * i 

5 

1 9. A digital plant protection system for use in nuclear power plants as 
in claim 17, wherein each mterface and test processor further includes a separate 
I/O module and a separate progranwnable logic circuit. 

10 20. A method for monitoring all safety related system parameters 

within a nuclear power plant, comprising: 

cross-connecting a first plurality of substantially identical 
independent processing channels; 

within each said channel iFiirther comprising the steps of: 
15 receiving a second plurality of conditioned digital input signals 

representative of a sensed parameter; 

comparing said digital input signals with a first pre-determined 
Stored digital value indicative-of a pre-trip condition; 

generating aridjtrahsmitting a pre-trip output to all said channels if 
20 said pre-trip condition is det^q^ed; 

receiving pre-Mg sigtials from all said channels if said pre-trip 

' ' ' 

condition is detected; s 7^ 

comparing saidjdigitai input signals with a second pre-determined 
stored digital value indicative pf a trip condition if said pretrip output is received; 
25 generating and transmitting a trip output to coincidence logic 

processors within each said channel if said trip condition is detected, wherein said 
coincidence logic processors geiiferate a trip signal if said trip output is received on 

a two-out of four basis; and \^ ^ 

J. ^ ^ •• 
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10 



taking pre-determined corrective action if said trip signal is 

detected. 

21 . A method for monitoring all safety related system parameters 
within a nuclear power plant as in claim 20, wherein said step of receiving a 
second plurality of conditioned digital input signals representative of a sensed 
parameter further includes the steps of: 

receiving an analog signal representative of the sensed parameter; 

and 

converting said analog signal to a digital signal representative of 
the sensed parameter. 

22. A method for monitoring all safety related system parameters 
within a nuclear power plant as in claim 21, wherein said step of taking pre- 
determined corrective action further includes the steps of: 

providing said trip signal to reactor trip breakers; and 
providing said trip signal to a Digital Engineered Safety Features 
Actuation System. 



20 23. A digital plant protection system, comprismg: 

means for cross-connecting a first plurality of substantially 
identical independent processing channels; 

within each said channel further comprising: 

means for receiving a second plurality of conditioned digital input 
25 signals representative of a sensed parameter; 

means for comparing said digital input signals with a first pre- 
determined stored digital value indicative of a pre-trip condition; 

means for generating a pre-trip output to all said channels if said 
pre-trip condition is detected; 



IS 
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means for comparing said digital input signals with a second pre- 
determined stored digital value indicative of a trip condition; 

means for generating a trip output to all said channels if said pre- 
trip condition is detected; 
5 receiving trip ouputs from all said channels if said trip condition is 

detected; 

means for providing a trip signal if said pre-trip condition is 
detected within said channels on a two-out of four basis; and 

means for taking pre-determined corrective action if said trip signal 

10 is detected. 



24. A digital plant protection system as in claim 23, wherein said 
means for receiving a second plurality of conditioned digital input signals 
representative of a sensed parameter further includes: 
15 means for receiving an analog signal representative of the sensed 

parameter; and 

means for converting said analog signal to a digital signal 
representative of the sensed parameter. 

20 25. A digital plant protection system as in claim 24, wherein said 

means for taking pre-determined corrective action further includes: 

means for providing said trip signal to reactor trip breakers; and 
means providing said trip signal to a Digital Engineered Safety 
Features Actuation System. 

25 

26. A digital plant protection system as in claim 25, wherein said 
means for cross-connecting and said means for receiving pre-trip signals is by 
fiber optic data links. 
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27 A digital plant protection system for use in nuclear power plants, 
comprising: 

a plurality of sensors providing analog output representative of a 
sensed parameter, said output received by an analog-to-digital converter for 

5 providing a digital value representative of said sensed parameter; 

four substantially identical independent sensed-parameter 
processing channels, each of which accepts said digital value representative of 
said sensed-parameter; 

a digital comparator associated with each said sensed-parameter 

10 processing channel for comparing said digital value of said sensed parameter with 
a fu^ predetermined digital value indicative of a pre-trip condition and generating 
a pre-trip output if said pre-trip condition is detected, said pre-trip output provided 
to all four of said channels, said digital comparator comparing said digital value of 
said sensed parameter with a second predetermined digital value indicative of a 

15 trip condition and generating a trip output if said trip condition is detected, said 
trip output provided to all four of said channels; 

a coincidence logic processor associated with each said sensed- 
parameter processing channel for receiving said trip output from said digital 
comparator, said coincidence logic processor further cross-connected to every 

20 sensed-parameter processing channels for receiving separate trip outputs from 
digital comparators within each said channel, wherein said coincidence logic 
processor generates a trip signal for effecting remedial action upon receipt of two- 
out-of-four trip outputs from said digital comparators within each said channel, 
wherein said trip signal for effecting remedial action is received by a Digital 

25 Engineered Safety Features Actuation System and by reactor trip breakers. 
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